Standard scans

  • Most common and basic (default scripts, all TCP ports, results saved to a file):
nmap -sC -T4 -p- HOST > sC.txt
  • Alternative (fast full-port sweep first, then scripts and version detection only on the ports it found):
ports=$(nmap -p- --min-rate=1000 -T4 HOST | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV HOST

ICMP

  • The machine does not respond to ping (-PS discovers the host with TCP SYN probes instead of ICMP Echo; -Pn would skip host discovery entirely):
nmap -sV -PS -sC -T4 -p- HOST > scan.txt

TTL responses

Credits to Cronicasdeuninformatico

  • Linux/Unix: 64
  • Windows: 128
  • MacOS: 64
  • Solaris/AIX: 254
  • FreeBSD: 64
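As an added example (not part of the original cheatsheet), the helper below turns a TTL observed in a reply into the sender's likely default TTL, the hop distance and the OS candidates from the table above. The 255 entry for routers and other Unix-like stacks is an assumption added here, and `guess_os_from_ttl` and `ttl_from_ping_line` are names chosen for this example.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Added example, not part of the original cheatsheet. Maps a TTL seen in an
# ICMP/TCP reply back to the initial TTL the sender most likely started with,
# using the per-OS defaults listed above. The 255 entry is an assumption added
# here for routers and other Unix-like stacks that start at 255.
INITIAL_TTLS = {
    64: ("Linux/Unix", "MacOS", "FreeBSD"),
    128: ("Windows",),
    254: ("Solaris/AIX",),
    255: ("network devices / other Unix",),  # assumption, not from the page
}


class TtlGuess(NamedTuple):
    observed: int        # TTL value seen in the reply
    initial: int         # inferred default TTL of the sender
    hops: int            # routers traversed (each decrements TTL by one)
    candidates: Tuple[str, ...]


def guess_os_from_ttl(observed: int) -> TtlGuess:
    """Choose the smallest well-known initial TTL that is >= the observed TTL.

    A reply TTL of 63 therefore reads as a 64-default host one hop away, and
    127 as a Windows host one hop away. The guess is only a heuristic: hosts
    can change their default TTL, and a value far below every default (e.g.
    20) is ambiguous, so the hop count should be sanity-checked against a
    traceroute before trusting it.
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = min(t for t in INITIAL_TTLS if t >= observed)
    return TtlGuess(observed, initial, initial - observed, INITIAL_TTLS[initial])


# Matches the TTL field of both Linux ping ("ttl=63") and Windows ping ("TTL=127").
_TTL_RE = re.compile(r"\bttl=(\d{1,3})\b", re.IGNORECASE)


def ttl_from_ping_line(line: str) -> Optional[int]:
    """Extract the TTL from one line of ping output, or None if absent."""
    m = _TTL_RE.search(line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample reply lines, not captured from a real host.
    for line in (
        "64 bytes from 10.10.10.10: icmp_seq=1 ttl=63 time=11.2 ms",
        "Reply from 10.10.10.11: bytes=32 time=9ms TTL=127",
        "Request timed out.",
    ):
        ttl = ttl_from_ping_line(line)
        if ttl is not None:
            print(line, "->", guess_os_from_ttl(ttl))
```

Because 64, 128 and 254/255 are far apart, an observed value close below one of them is almost always that default minus a small hop count; the function deliberately reports the hop count so an implausible distance (say 50 hops on a LAN) flags that the host is probably using a non-default TTL.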

HTB Cheatsheet

Scanning Options

Nmap Option               Description
10.10.10.0/24             Target network range.
-sn                       Disables port scanning.
-Pn                       Disables ICMP Echo Requests.
-n                        Disables DNS resolution.
-PE                       Performs the ping scan by using ICMP Echo Requests against the target.
--packet-trace            Shows all packets sent and received.
--reason                  Displays the reason for a specific result.
--disable-arp-ping        Disables ARP Ping Requests.
--top-ports=<num>         Scans the specified number of top ports that have been defined as most frequent.
-p-                       Scans all ports.
-p22-110                  Scans all ports between 22 and 110.
-p22,25                   Scans only the specified ports 22 and 25.
-F                        Scans the top 100 ports.
-sS                       Performs a TCP SYN scan.
-sA                       Performs a TCP ACK scan.
-sU                       Performs a UDP scan.
-sV                       Scans the discovered services for their versions.
-sC                       Performs a script scan with the scripts categorized as "default".
--script <script>         Performs a script scan by using the specified scripts.
-O                        Performs an OS detection scan to determine the OS of the target.
-A                        Performs OS detection, service detection, and traceroute scans.
-D RND:5                  Sets the number of random decoys that will be used to scan the target.
-e                        Specifies the network interface that is used for the scan.
-S 10.10.10.200           Specifies the source IP address for the scan.
-g                        Specifies the source port for the scan.
--dns-server <ns>         DNS resolution is performed by using the specified name server.

Output Options

Nmap Option               Description
-oA filename              Stores the results in all available formats, starting with the name "filename".
-oN filename              Stores the results in normal format with the name "filename".
-oG filename              Stores the results in "grepable" format with the name "filename".
-oX filename              Stores the results in XML format with the name "filename".

If the results are saved as XML (-oX), an HTML report can be generated from that file with:

xsltproc scan.xml -o scan.html
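The XML and normal output formats are also the easiest to consume programmatically. The added example below (not part of the original cheatsheet) parses both formats into a list of open ports and rebuilds the second-stage command from the "Standard scans" section; unlike the `grep '^[0-9]' | cut` pipeline there, it keeps only rows whose state is exactly `open`, so `filtered` and `open|filtered` ports are not rescanned. The sample scan output is constructed for the example, and the function names are chosen here.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Added example, not from the original cheatsheet. Both parsers feed the
# two-stage workflow from "Standard scans": a fast -p- sweep, then -sC -sV on
# the ports it found. Only ports whose state is exactly "open" are kept, so
# "filtered" and "open|filtered" rows are dropped.

# Constructed sample of nmap normal (-oN / stdout) output, not a real scan.
SAMPLE_NORMAL = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https
"""

# Constructed sample of nmap XML (-oX) output with the same results plus a UDP row.
SAMPLE_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -oX scan.xml 10.10.10.10">
  <host>
    <status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# One "PORT STATE SERVICE" row of normal output: port/proto, then the state word.
_PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)", re.MULTILINE)


def open_ports_from_normal(text: str, protocol: str = "tcp") -> List[int]:
    """Parse port rows of normal output; keep only state == open."""
    return sorted(int(p) for p, proto, state in _PORT_LINE.findall(text)
                  if proto == protocol and state == "open")


def open_ports_from_xml(text: str, protocol: str = "tcp") -> List[int]:
    """Parse -oX output. XML is the robust choice: the schema is stable and
    the state is an attribute rather than a column that may shift."""
    root = ET.fromstring(text)
    ports = []
    for port in root.iter("port"):
        state = port.find("state")
        if (port.get("protocol") == protocol and state is not None
                and state.get("state") == "open"):
            ports.append(int(port.get("portid")))
    return sorted(ports)


def port_argument(ports: List[int]) -> str:
    """Build the comma-separated value for nmap's -p option."""
    if not ports:
        raise ValueError("no open ports found; nothing to rescan")
    return ",".join(str(p) for p in ports)


def followup_command(ports: List[int], host: str) -> str:
    """The second-stage command from the cheatsheet, built from parsed ports."""
    return f"nmap -p{port_argument(ports)} -sC -sV {host}"


if __name__ == "__main__":
    print(followup_command(open_ports_from_normal(SAMPLE_NORMAL), "10.10.10.10"))
    print(followup_command(open_ports_from_xml(SAMPLE_XML), "10.10.10.10"))
```

Raising on an empty port list matters in practice: with the shell pipeline an empty `$ports` silently turns `-p$ports` into `-p`, and the follow-up scan fails with a confusing argument error rather than telling you the sweep found nothing.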

Performance Options

Nmap Option                   Description
--max-retries <num>           Sets the number of retries for scans of specific ports.
--stats-every=5s              Displays the scan's status every 5 seconds.
-v/-vv                        Displays verbose output during the scan.
--initial-rtt-timeout 50ms    Sets the specified time value as the initial RTT timeout.
--max-rtt-timeout 100ms       Sets the specified time value as the maximum RTT timeout.
--min-rate 300                Sends packets at no less than the specified rate (here 300 packets per second).
-T <0-5>                      Specifies the timing template.